VYPR

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

BaseIncompleteLikelihood: Medium

Description

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-27 · CAPEC-29

CVEs mapped to this weakness (249)

page 12 of 13
  • CVE-2025-46327Apr 28, 2025
    risk 0.00cvss epss 0.00

    gosnowflake is the Snowflake Golang driver. Versions starting from 1.7.0 to before 1.13.3, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Driver reads logging configuration from a…

  • CVE-2025-46326Apr 28, 2025
    risk 0.00cvss epss 0.00

    snowflake-connector-net is the Snowflake Connector for .NET. Versions starting from 2.1.2 to before 4.4.1, are vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) race condition. When using the Easy Logging feature on Linux and macOS, the Connector reads logging configuration…

  • CVE-2025-24432Feb 11, 2025
    risk 0.00cvss epss 0.00

    Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a…

  • CVE-2025-24430Feb 11, 2025
    risk 0.00cvss epss 0.00

    Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this race condition to alter a…

  • CVE-2024-50379Dec 17, 2024
    risk 0.00cvss epss 0.44

    Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1…

  • CVE-2024-49768Oct 29, 2024
    risk 0.00cvss epss 0.01

    Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recv_bytes (defaults to 8192) long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled (default) we won't read any more…

  • CVE-2024-45120Oct 10, 2024
    risk 0.00cvss epss 0.00

    Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could lead to a security feature bypass. An attacker could exploit this vulnerability to alter a condition between…

  • CVE-2024-47813Oct 9, 2024
    risk 0.00cvss epss 0.00

    Wasmtime is an open source runtime for WebAssembly. Under certain concurrent event orderings, a `wasmtime::Engine`'s internal type registry was susceptible to double-unregistration bugs due to a race condition, leading to panics and potentially type registry corruption. That…

  • CVE-2024-0133Sep 26, 2024
    risk 0.00cvss epss 0.00

    NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a specially crafted container image to create empty files on the host file system. This does not impact use cases where CDI is used. A successful exploit of this…

  • CVE-2024-30471Jul 17, 2024
    risk 0.00cvss epss 0.01

    Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration. This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many…

  • CVE-2024-28718Apr 12, 2024
    risk 0.00cvss epss 0.01

    An issue in OpenStack magnum yoga-eom version allows a remote attacker to execute arbitrary code via the cert_manager.py. component.

  • CVE-2024-1729Mar 29, 2024
    risk 0.00cvss epss 0.01

    A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (`app.auth[username] == password`) to validate user credentials, which can be…

  • CVE-2023-43741Dec 22, 2023
    risk 0.00cvss epss 0.00

    A time-of-check-time-of-use race condition vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to bypass a symbolic link check for the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script.

  • CVE-2023-46725Nov 2, 2023
    risk 0.00cvss epss 0.00

    FoodCoopShop is open source software for food coops and local shops. Versions starting with 3.2.0 prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the `/api/updateProducts.json` endpoint to make the server send a…

  • CVE-2023-29337Jun 14, 2023
    risk 0.00cvss epss 0.01

    NuGet Client Remote Code Execution Vulnerability

  • CVE-2023-0778Mar 27, 2023
    risk 0.00cvss epss 0.01

    A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.

  • CVE-2022-1537May 10, 2022
    risk 0.00cvss epss 0.00

    file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if…

  • CVE-2022-23653Feb 23, 2022
    risk 0.00cvss epss 0.00

    B2 Command Line Tool is the official command line tool for the backblaze cloud storage service. Linux and Mac releases of the B2 command-line tool version 3.2.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers…

  • CVE-2022-23651Feb 23, 2022
    risk 0.00cvss epss 0.00

    b2-sdk-python is a python library to access cloud storage provided by backblaze. Linux and Mac releases of the SDK version 1.14.0 and below contain a key disclosure vulnerability that, in certain conditions, can be exploited by local attackers through a time-of-check-time-of-use…

  • CVE-2022-23563Feb 4, 2022
    risk 0.00cvss epss 0.00

    Tensorflow is an Open Source Machine Learning Framework. In multiple places, TensorFlow uses `tempfile.mktemp` to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous as a different process can create the file between the check…